Preliminary discussion: DB alias entries
hartmans at MIT.EDU
Fri Mar 13 10:54:32 EDT 2009
>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:
>> I meant to ask about this for some time, but always postponed
>> to gather some more info before asking :/ I tested a while back
>> if renaming users (changing krbPrincipalName via ldapmodify)
>> would work, and it didn't (I had to reset the secret as well
>> every time). I assume the fix you did would also resolve this
>> issue, it would be very cool.
Luke> Right, it should work; the salt should be stored with the
Luke> key, independently of the principal name, and if necessary
Luke> returned to the client in an ETYPE-INFO. Things are a
Luke> little more complicated for service principals, but
Luke> hopefully their names are less likely to change.
Our code doesn't store salts like that.
kadmind could be changed to do so.
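Added example, not part of the original thread and not MIT krb5 code: a toy principal store showing why a rename forces a password reset when the KDC falls back to the name-derived default salt, and why storing the salt with the key (and advertising it as in ETYPE-INFO) avoids that. `ToyKDB`, its methods, and the principal names and password are hypothetical, and key derivation is reduced to the PBKDF2 stage of the RFC 3962 AES string-to-key.

```python
import hashlib
import hmac

def default_salt(principal):
    # RFC 4120 default salt: realm, then name components, no separators.
    name, realm = principal.rsplit("@", 1)
    return (realm + name.replace("/", "")).encode()

def derive(password, salt):
    # PBKDF2 stage of the RFC 3962 AES string-to-key (4096 iterations);
    # the final DK(tkey, "kerberos") step is omitted in this sketch.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

class ToyKDB:
    """Hypothetical in-memory principal store, not the MIT krb5 KDB API."""
    def __init__(self, store_salt):
        self.store_salt = store_salt
        self.entries = {}  # principal -> (key, stored salt or None)

    def add(self, principal, password):
        salt = default_salt(principal)
        key = derive(password, salt)
        self.entries[principal] = (key, salt if self.store_salt else None)

    def rename(self, old, new):
        # Rename moves the entry; the key bytes are not re-derived.
        self.entries[new] = self.entries.pop(old)

    def advertised_salt(self, principal):
        # Salt a KDC would hand back in ETYPE-INFO: the stored one if
        # present, otherwise the default computed from the current name.
        _, salt = self.entries[principal]
        return salt if salt is not None else default_salt(principal)

    def client_key_matches(self, principal, password):
        key, _ = self.entries[principal]
        client_key = derive(password, self.advertised_salt(principal))
        return hmac.compare_digest(key, client_key)

def rename_survives(store_salt):
    # Constructed sample principal names and password.
    kdb = ToyKDB(store_salt)
    kdb.add("alice@EXAMPLE.COM", "correct horse")
    kdb.rename("alice@EXAMPLE.COM", "alice.smith@EXAMPLE.COM")
    return kdb.client_key_matches("alice.smith@EXAMPLE.COM", "correct horse")

if __name__ == "__main__":
    print("salt not stored:", rename_survives(False))
    print("salt stored:    ", rename_survives(True))
```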